Repo Watch

Privacy Policy

Last updated: March 24, 2026

This Privacy Policy describes what information Repo Watch ("the Service", "we", "us", "our") collects, how it is used, and how it is protected. By using Repo Watch, you agree to the practices described in this policy.

1. Information We Collect

Account information

When you sign in via a third-party provider (GitHub or GitLab), we receive your display name, email address, avatar URL, and provider user ID. We do not collect passwords.

Repository metadata

When you connect repositories, we store repository names, URLs, visibility status, and provider metadata needed to initiate scans. We access repositories using read-only OAuth scopes.

Uploaded archives

If you upload a ZIP archive for scanning, the file is processed in an isolated container environment. The archive and its extracted contents are deleted immediately after the scan completes. We do not retain your source code.

Scan results

We store derived findings, score breakdowns, and scan metadata. These are the outputs of static analysis — not your source code itself.

Billing information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank details. We retain your Stripe customer ID and subscription status for entitlement enforcement.

Usage analytics

We use Google Analytics 4 to collect product usage signals such as page views, feature interaction events, and approximate device/browser information. This helps us understand product performance and improve the Service.

2. How We Use Your Information

  • To authenticate your account and manage sessions.
  • To synchronise and list repositories from connected providers.
  • To perform static analysis scans and generate risk reports.
  • To enforce subscription plan limits and entitlements.
  • To process payments and manage billing through Stripe.
  • To communicate service updates, security notices, or billing-related matters.
  • To improve the Service through aggregated, anonymised usage analytics.

We do not sell your personal information. We do not use your repository content or scan results for advertising purposes.

3. Provider Access Tokens

OAuth access tokens granted by GitHub or GitLab are encrypted at rest using AES-256-GCM and stored server-side. Tokens are used only for read-only operations (listing repositories, downloading repository content for scanning). You may revoke access at any time through your provider's settings.

4. Data Retention

  • Uploaded archives: Deleted immediately after scan completion.
  • Scan results: Retained according to your subscription plan (7 days for Free, 30 days for Starter, 90 days for Pro).
  • Account data: Retained while your account is active. You may request deletion at any time.
  • Billing records: Retained as required for financial record-keeping and legal obligations.

5. Third-Party Services

We use the following third-party services:

  • GitHub / GitLab: OAuth authentication and repository access.
  • Stripe: Payment processing and subscription management.
  • Google Analytics: Product analytics and performance measurement.

Each provider has its own privacy policy. We encourage you to review them.

6. Security Measures

  • All repository content is treated as untrusted input.
  • Scans are static-only — your code is never executed.
  • Provider tokens are encrypted at rest.
  • Access to sensitive operations is enforced server-side with authentication and authorisation checks.
  • The application enforces Content Security Policy, HSTS, and other security headers.
  • Archive processing occurs in isolated container environments.

While we take reasonable measures to protect your data, no system is completely secure. You are responsible for maintaining the security of your own provider accounts.

7. Your Rights

You have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account and associated data.
  • Revoke provider access tokens through your GitHub or GitLab settings.
  • Cancel your subscription at any time.

To exercise any of these rights, contact us at hello@repowatch.io.

8. Cookies

We use essential cookies for authentication and session management. We also use analytics technologies from Google Analytics to understand how the Service is used.

We do not use analytics data for advertising personalisation. You can limit analytics collection by blocking cookies in your browser, using privacy controls, or using Google's opt-out tools where available.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the date at the top of this page. Material changes may also be communicated via email. Continued use of the Service after updates constitutes acceptance of the revised policy.

10. Governing Law

This Privacy Policy is governed by the laws of New Zealand, including the Privacy Act 2020.

11. Contact

For privacy requests, data access, or any questions about this policy, contact us at hello@repowatch.io.